Firewall with IDS in OpenBSD 3.2

Solution
OpenBSD and its packet filter are free and have a good history of tight security.

Introduction

Difference in OpenBSD releases

PF in OpenBSD has gone through a history of changes. OpenBSD through version 2.9 shipped IPF, written by Darren Reed. One day Darren caused some
confusion on the OpenBSD mailing lists about the licensing of his IPF software in operating
systems. The OpenBSD authors didn't like it, and someone decided they would make their own packet filter, just for OpenBSD. The packet filter
candidate from Daniel Hartmeier was released on http://www.benzedrine.cx/pf.html and was
accepted by the core developers into the OpenBSD kernel. The official release of PF was in OpenBSD 3.0. Between the 3.0 release and 3.2,
PF stayed relatively unchanged.

PF rulesets are not compatible with IPF rulesets. In other words, rules from OpenBSD 2.9 or earlier won't work
with PF on an OpenBSD 3.0 or newer machine. Also note that PF started getting a large clump of changes in OpenBSD 3.3, where the kernel
developers decided to merge ALTQ (traffic shaping) into PF so the packet filter could also do traffic shaping. I'd link to ALTQ docs, but
by the time I wrote this, they had already started being merged into the PF documentation in the OpenBSD snapshot sources.

Preparation

Methods

There are two ways you can get an install started: by CD or by floppy. I'll assume that since you're using OpenBSD, you want something
free, so that rules out the possibility that you bought an OpenBSD release CD from the
website, even though you should have.

Floppy Method

Download rawrite. The link, unless dead, should go to a rawrite for
Windows that has a GUI. All other versions you'll find on the internet work from a DOS prompt. Whether from a DOS window or a GUI, you'll
need a copy of rawrite to write the boot image (OpenBSD 3.2 link)
to a floppy disk. Open rawrite and write the floppy32.fs file to the floppy disk.

Notice other releases will have floppy image filenames that match the version release. For example, OpenBSD 3.3 will have a floppy33.fs.

The image above will cover most hardware configurations. If you know you have some weird hardware in the machine you're going to be installing
OpenBSD on, there are actually two other floppy images with different hardware support. From the documentation:

floppyB32.fs (Servers) supports many RAID controllers, and some of the less common SCSI adapters. However, support for many standard SCSI adapters and many EISA and ISA NICs has been removed.

floppyC32.fs (Laptops) supports the Cardbus and PCMCIA devices found in many laptops.

In almost all cases, you'll want the link above.

CD-R(W) method

This method requires you to download the install files before installation. Using Bulletproof FTP or CuteFTP might be a good idea here.
Create a directory called "3.2" (or whatever version number you download) and fetch the contents of the version directory for
that release of OpenBSD into it. For version 3.2, that would be
ftp://ftp.openbsd.org/pub/OpenBSD/3.2/. Don't forget OpenBSD has many FTP mirrors, such
as ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.2/

Again, note that if you are installing OpenBSD 3.3 or newer, the filenames won't end with 32, but rather 33 or 34, and so on.

The same tools that you can use on Linux or BSD to make ISO files are available for Windows. The OpenBSD project doesn't release ISO images
because it needs CD sales to support the full-time developers. Thanks to official Windows ports of mkisofs, you can just grab a
copy of cdrtools from the official cdrecord website. Sometimes the
Windows binaries of cdrtools get moved on the FTP server, so you might have to hunt around.

When the ISO is done, use Roxio Easy CD Creator 5 or your favorite burning program to burn it. If you don't have it, cdrecord is in the
cdrtools distribution. I haven't tried it, but mkisofs works, so cdrecord probably does too. Documentation is all over the internet for
cdrecord.

Install OpenBSD

From here, it is best to refer you to the official installation document. It is
well written and should get you through the installation process, whether you bought a CD, created one, or made a floppy.

Install Notes

If you did the floppy install, during the install, you'll have the option to get the installation files from FTP and that is what you will do.

To make an invisible firewall, you might ask yourself how it will be invisible if you have to configure a network device during the install.
Don't worry about that now. Configure a device because we will need it both to grab operating system updates and to have an interface to
use to get updates later if needed. You should have three interfaces in your machine for this document. Two will be invisible, and one will be
for administration. Just configure one device during install, and leave the other two alone. If you want to configure all of them, you can do
that too, because later, they will just be re-configured to be invisible.

However you partition your drive, it is a good idea to leave 2 GB for the /usr partition.

When you're done with the install, type "reboot".

When the system comes back up to a login prompt, the administrator account is "root" and the password is whatever you set during the
installation.

Configuring your machine with DHCP will be fine for the start. Later in this document will be
instructions on how to set a static IP address. If you already know what static IP address you
will use, go ahead and set it.

The network interface cards in the machine are numbered. For example, a 3Com NIC will use the xl kernel driver.
The card furthest from the CPU is card 0, and each card closer
increments by one, so if you have 4 NICs, the one closest to the CPU would be xl3.

This tutorial assumes you use a 3Com 905 NIC. Other network cards will have other kernel driver names.
When you start up your system, you can do

# dmesg > dmesg
# grep -e "..:..:..:..:.." dmesg
# rm dmesg

and the resulting lines should show the NICs, starting with the kernel driver and ending with
the adapter MAC address.
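As an added example (not part of the original tutorial), here is a small shell script that does the same extraction as the grep above but keeps only the driver name and MAC address, and can answer "which card has this MAC". The dmesg lines embedded in it are constructed for illustration, modelled on 3Com xl(4) attach lines; the MAC addresses are made up.

```shell
#!/bin/sh
# Added example: list NIC driver names and MAC addresses from dmesg(8) output.
# SAMPLE_DMESG is constructed (xl(4)-style attach lines with made-up MACs);
# on a real machine run:  dmesg | nic_list

SAMPLE_DMESG='xl0 at pci0 dev 10 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:50:da:12:34:56
exphy0 at xl0 phy 24: 3Com internal media interface, rev. 0
xl1 at pci0 dev 11 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 10, address 00:50:da:12:34:57
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility
xl2 at pci0 dev 12 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 5, address 00:50:da:12:34:58'

# Print "driver mac" for every line that carries a MAC address.
# This is the tutorial's grep pattern (colon-separated pairs) tightened to a
# full six-field hardware address; the driver instance is the first word and
# the address is the last word of an attach line.
nic_list() {
    grep -iE '([0-9a-f]{2}:){5}[0-9a-f]{2}' | awk '{ print $1, $NF }'
}

# Number of NICs found; this tutorial expects three (admin plus two bridged).
nic_count() {
    nic_list | wc -l | tr -d ' '
}

# Driver instance for one MAC address (prints nothing if it is absent).
nic_for_mac() {
    nic_list | awk -v mac="$1" '$2 == mac { print $1 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_DMESG" | nic_list
```

The phy line for xl0 has no hardware address and is dropped, so the count reflects cards, not every line that mentions a driver.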

If you're a Windows user and don't have much experience with BSD or Linux, creating a swap partition
is mandatory. It is where all the extra memory processes go when you run out of RAM and is the
equivalent of the Windows pagefile. Making it at least twice the size of the amount of space you
have in RAM is good.

Update to -stable

Why, why and where

Although OpenBSD has a better than average record of remote and local security vulnerabilities, sometimes someone still discovers a flaw. The
OpenBSD errata page is usually updated with patches for vulnerabilities or stability flaws.
For purposes of explaining how to do an operating system upgrade, we'll skip the method that would use the src.tar.gz and srcsys.tar.gz files
from the OpenBSD install tree. If you want to use the src.tar.gz and srcsys.tar.gz files, the patch
branches page provides some information and links to get started in that direction.

Method 1a: Installing kernel and system binary sources from CD

If you have the official CD, you will only have one src.tar.gz file which contains srcsys.tar.gz.

During this process, it might look like your system stalled out downloading updates. Most likely it hasn't. The CVS process must still check
each file in the source tree to make sure it matches the server. By doing the tar file first and then CVS, you save having to download each
individual file and instead just check against a CVS version number. Files that have security updates will have a newer CVS version than
the copy on your machine. When the cvs command sees the version difference, it will patch the file on your system to match the one on
the server.

Method 3: Downloading kernel and system binary sources from CVS

Don't do this step if you already did the stuff above with the tar files. This method will download the contents of src.tar.gz and srcsys.tar.gz
and put them in /usr/src for you complete with up-to-date patches.

Say yes when it wants to confirm the SSH fingerprint. Note the OPENBSD_3_2 corresponds to the version number. OpenBSD 3.0 would have
OPENBSD_3_0 for downloading the stable kernel source. Downloading with CVS will take a while, so while you wait, you can get started on
downloading ports.

Try hitting CTRL+ALT+F2. You didn't just log out, you switched to another console. Log in again on the second console. You can
switch back to the original console by hitting CTRL+ALT+F1. You can use consoles with the F1, F2, F3, F4, and F6 keys. The other
function keys are reserved by the operating system for other background tasks. Now you can multitask.

Install Ports

What are they?

Ports are specially packaged software editions for
OpenBSD. They are maintained especially for OpenBSD and available from most
OpenBSD regional mirrors. Often ports are created when software packages
don't compile by default on OpenBSD. The port maintainers massage the source
code of the software to make it work with OpenBSD. In some cases, they even
make security audits to make the source more secure.

Method 1: Downloading ports from CVS

If you're already downloading the kernel and system sources, don't forget you can hit

It is also possible to download ports that correspond to the major OpenBSD version release. In most cases, there is no
reason to do so, because the most recent imports to the CVS server will likely have security updates to software packages
made since the major release of OpenBSD; therefore the -rOPENBSD_3_2 option was left off of the example.

Even if you're on a T1, downloading sources and ports will take a while. Get up and stretch. Get something to drink. Go to the bathroom.
Make some phone calls. Check your email. You're cheering for src to finish first because that's what you'll need to work with first.

Method 2: Install ports from CD

This is often the choice if you already have ports.tar.gz downloaded and don't want to wait for it again. If you have the
official CD from openbsd.org, ports.tar.gz is on the last CD. If you created your own CD, you know where it is.

Method 3: Ports from FTP

lynx will ask you some questions. The sequence of answers
is 'D' for download, '[enter]' to save to disk, '[enter]' again to accept the
default filename, 'q' to quit, and 'y' to say you really want to quit.

Updating packages

No matter which method you used to install, there are some packages you will probably want to
update individually. Since the OpenBSD 3.2 release, MySQL has had some security patch releases and
Snort has had a new release with a newer rule parsing method. If you already set the CVSROOT
and haven't rebooted, you don't have to set it again until you reboot.

Updating the system kernel, binaries, and libraries

You need to update the system kernel. Don't skip this part. You need to compile your updated kernel source
and compile your system binaries and libraries again before moving on. Don't skip steps. Why? Any programs
from this point that you compile against security vulnerable kernel hooks or system libraries could have the
vulnerabilities linger even after you compile a new kernel, binaries, and libraries. Compile the kernel, reboot,
and recompile the system files.

Compile a new kernel

Then reboot. You must reboot before moving on to make use of the newly patched kernel.

# shutdown -r now

The -r is for reboot. If you want to shutdown a machine, use -h for halt.

Compile new system files (binaries and libraries)

# cd /usr/src
# rm -r /usr/obj/*
# make obj && make build

You're recompiling everything installed on your system except your kernel, which you already did.
This process will take a long time on an old machine.
Rebooting when you're done isn't mandatory, but you should do it for good measure.

Download, compile, and install software from ports

The cool thing about using ports is that with one command, all the downloading, patching, compiling,
installing, and cleanup is done, specifically tailored for OpenBSD. If you
watch the installation, it also downloads all the libraries and dependencies that the programs
you're installing might have.

Installing text editor (nano)

OpenBSD, and most other BSD and Linux operating systems, come with vi as their default editor; however,
vi has a big learning curve. If you're feeling confident with your
Google skills, learning vi will benefit you in the long run.

Since vi has a big learning curve and you probably just want to get the system up, nano
is a much simpler text editor which will give you the basic file editing functionality you'll need
to get the job done.

# cd /usr/ports/editors/nano
# make install clean

OpenBSD won't pick up the nano installation right away. It is not in the path. What that means is
until you restart, you'll have to type the full path to the nano executable. You make the choice.
Reboot or just type the full file path until the next reboot. You won't have to edit files
for a bit, so it can wait.

Compile and install Snort

The snort intrusion detection system is available in ports. Here we will be adding a "FLAVOR"
to the snort installation which changes the default install options. Normally snort writes all
the intrusion hits to files, but we're going to want them stored in a MySQL database. If you're
curious about the options available for snort install, you can do this:

# cd /usr/ports/net/snort
# make show VARNAME=FLAVORS

The documentation for snort will explain better what
each option does. This is merely an installation guide. For the purposes of this installation,
do the following:

# cd /usr/ports/net/snort
# env FLAVOR="mysql flexresp" make install

If you sit and watch the installation process, you will notice that MySQL will also
automagically download, get patched, configure, compile, and install. For your information,
since the OpenBSD 3.2 release, MySQL has released new versions of MySQL that fix
security vulnerabilities. This should not be a problem for an invisible firewall because
nobody should have rights to either use the MySQL console client or connect to the MySQL
socket. This will be discussed later in this paper.

Install PHP

If you are experienced with using the FLAVORS
environment variable, you can alter the PHP install to cut install time.
An example FLAVOR is shown. It excludes most of the extensions from the PHP
install so you have a shorter install time and don't install a
lot of software you won't use.

As you can see, we're leaving out a lot of the functions of PHP, but we don't need them.
All that should be left are the MySQL database and GD graphic library extensions. You still
need to actually install them:

If you can't find those lines in your httpd.conf file, look harder or just add the lines as
you see them above. If there are other file extensions you want parsed by
the PHP engine, you can add them to the first AddType line too. Some
people add .html to obscure the engine running their website. This can be
inefficient if you also have many regular HTML files that do not contain PHP,
because PHP will have to examine those files anyway.

Save your httpd.conf
with CTRL+X and follow the prompts.

Now it might be nice to test your PHP
installation. I delete all the default Apache documents in the web root
directory. You can skip that if you want.

# cd /var/www/htdocs
# rm -fr *
# /usr/local/bin/nano phpinfo.php

You're creating a file named phpinfo.php. In it, you want to put:

<?php phpinfo(); ?>

Save it and test it:

# apachectl start
# lynx localhost/phpinfo.php

If you see a page that has a bunch of information about PHP, all went well.
If you see just phpinfo(); then you messed up somewhere. Go back and make sure you did
everything. This won't prevent you from installing Snort, but it will definitely
keep ACID from working, which is one of the best HTTP-based Snort log viewers.

Setup Apache SSL

OpenBSD ships with an SSL-ready httpd and RSA libraries. For use with httpd(8), you must first have a certificate created. This will be kept in /etc/ssl/ with the corresponding key in /etc/ssl/private/. The steps shown here are taken in part from the ssl(8) man page. Refer to it for further information. This FAQ entry only outlines how to create an RSA certificate for web servers, not a DSA server certificate. To find out how to do so, please refer to the ssl(8) man page.

To start off, you need to create your server key and certificate using OpenSSL:

# openssl genrsa -out /etc/ssl/private/server.key 1024

The next step is to generate a Certificate Signing Request which is used to get a Certifying Authority (CA) to sign your certificate. To do this use the command:

This server.csr file can then be given to a Certifying Authority who will sign the key. One such CA is Thawte Certification which you can reach at http://www.thawte.com/. Thawte can currently sign RSA keys for you. A procedure is being worked out to allow for DSA keys.

If you cannot afford this, or just want to sign the certificate yourself, you can use the following.

With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you should be able to start httpd(8) with the -DSSL flag (see the section about rc(8) in this faq), enabling https transactions with your machine on port 443.

Start Apache on boot

# cd /etc
# /usr/local/bin/nano rc.conf

Change httpd_flags from NO to "-u -DSSL". Add the quotes too. Be careful about the
comment at the end of the line (# for normal use...) spilling over to the next line. That is bad. If
it does, either get it all on one line again or delete the comment. Hit CTRL+X to save the file.

The -u tells Apache to skip its chroot(2) into /var/www. The -DSSL tells Apache to start up with SSL.
A later section will discuss SSL. If you know you just want to run regular HTTP services through port
80 and don't want SSL through 443, you can leave off the -DSSL and skip the Apache SSL configuration.

Finishing MySQL Install

Check /etc/rc.conf to make sure that the following line is at
the bottom:

local_rcconf="/etc/rc.conf.local"

# cat /etc/rc.conf

The line should be there, but if for some reason it isn't,
add it with nano.

/etc/rc.conf.local should not exist yet. Whether it does or not, exit nano and do the following:

# echo "mysql=YES" >> /etc/rc.conf.local

Using echo is just shorthand so you don't have
to use an editor to edit a file. If the file doesn't exist, it will be created.
If it does exist, the line is appended to the end of it.

The second line will try to connect to MySQL. You can either
connect or you can't. A connection is good. The password is blank if you did not
set it before. Type exit to get out of mysql. When you reboot, you
should see mysqld in the local daemons list just before logon.
Now might be a good time to change the default root password
to your MySQL server:

# /usr/local/bin/mysqladmin -u root -p password 'new-password'

If it's a single user machine and you properly deny outside
connections to MySQL, you might be fine leaving the root password blank. Later
in this tutorial, we will configure the server to not accept connections
on the MySQL socket from anywhere other than localhost.

If you think you know what you're doing, now might be a good time
to stop mysqld and move /var/mysql to another drive if you've got
a multiple drive system. For example, you might have created a
/misc partition during installation on a second hard drive. Then
you could move /var/mysql to it and edit the datadir var in
/usr/local/share/mysql/mysql.server and /etc/my.cnf to point to
the new db storage directory.

Snort

Snort is a free intrusion detection system.

Configure Snort

Now you need to configure MySQL to have a user and table to store Snort alerts:

Now you will need to decide which interfaces in your machine will do what.
Pick the one that will be on the inside of the firewall. In the example machine, we have
one administration NIC with an IP address assigned, and two more, one for the outside of the
firewall and one for the inside. For the sake of this example, xl1 will be the interface on the
inside of the firewall.
Add this to the bottom of your

The line will be longer than the screen, so get it to fit on one line when
it spills over to the next. If you are using vi, you don't have to worry about that,
because when a line spills over in vi, it wraps the display instead of inserting a
line break like nano does. Also note the -i xl1, which corresponds to the interface on the
inside of the firewall. Then we can import the Snort database information into MySQL:

and edit snort.conf.
The file will explain what variables do what. Defaults will probably work
if you're scared to change the file. The only thing you absolutely have to change
is find the mysql log line, uncomment it, and change the login information for
each of the variables on the line, otherwise you won't be able to view the snort logs
from ACID.

To log to MySQL for ACID, you will need to find the database section, uncomment
the line for MySQL in snort.conf, and change the connection details.
Just make sure you read the whole configuration file.

and edit snort.conf to add the additional rules files
that aren't in the distribution and point the rules location to /etc/snort/rules

Create firewall network

If you want a NAT configuration, you'll need a LAN IP for an interface on the
inside of the network. Choose a network device not in use. We'll assume that
xl0 right now is configured with an external world address. Edit hostname.xl1.
Nano and vi will create it if it's not there already. Put this line in it:

inet 10.0.0.250 255.255.0.0 NONE

To create IP aliases for the same network interface, the file would look like:

After you reboot, the hostname.xxx file will automatically do ifconfig for you.

The other choice is creating an invisible passthru firewall. Either way, if you want
extra interfaces to go to the internal network interface and have them bridged together,
you'll need to create invisible interface configurations for the other NICs.

# ifconfig xl2 up
# echo "up" > /etc/hostname.xl2

Make sure you don't create a hostname file for the wrong interface. If you echo "up" to the
interface hostname file you're using to get on the internet, you won't be able to get on the internet until you
go back and replace up with the correct internet configuration. The interface you should have
configured by default during the install was xl0.

While you're at it, now is a good time to add the second invisible interface for the firewall.

# ifconfig xl3 up
# echo "up" > /etc/hostname.xl3

Now you can bridge them together. Your bridge configuration will list all the
network interfaces for your internal network. For an invisible firewall, that should be
two interfaces. For a NAT machine, the PCI slot number is the limit. Create
/etc/bridgename.bridge0

Now you'll probably want to put a password on the access to Apache. Edit
/var/www/conf/httpd.conf, find the directory directive for /var/www/htdocs and change
AllowOverride from None to All. This will allow us to use .htaccess files to change
permissions of directories in the Apache web directory. An .htaccess file in a directory
provides specific instructions for permissions to that specific directory. In this
example, we will create an .htaccess file in the root directory, thereby blocking off
all unauthorized access.

Clear console on logout

Clearing the console isn't necessary to get your firewall up and running, but it
does add an extra layer of security for sensitive information you might enter in the console.
When you log out, it will automatically clear away for you.
To do this you must add a line in /etc/gettytab. Change the current section:

P|Pc|Pc console:\
:np:sp#9600:

adding the line ":cl=\E[H\E[2J:" at the end, so that it ends up looking like this:

P|Pc|Pc console:\
:np:sp#9600:\
:cl=\E[H\E[2J:

Changes will be immediate. Next time you log out, the console will clear.
You can get the same result by typing clear at the prompt, but who wants
to remember to do that every time.

Lockdown single user mode

One element of security often overlooked is physical security. The OpenBSD developers
built a "feature" into OpenBSD called single user mode. Single user mode allows you, if
you are at the keyboard, to boot into the system to do recovery or diagnostic work.
Under normal circumstances, booting into single user mode gives you automatic root access,
without asking for a password. Single user mode is also often used for password recovery
when nobody can remember the root password. You can make single user mode ask for the root
password.

Edit /etc/ttys to change the current line:

console "/usr/libexec/getty Pc" vt220 off secure

to insecure

console "/usr/libexec/getty Pc" vt220 off insecure

Deny remote root login

Root has the power to do anything to a system. Here we'll add a user that has very little
power to change files on the system.

# adduser

If you decided not to install Snort, the adduser command will ask for default
user account values. Just hit enter to accept each of the default values in brackets. Then
follow the prompts to create a user.

Don't make the administrator password the same as the root password. If someone compromised
the system, was able to read /etc/passwd and noticed that the administrator password hash
is the same as the root password's, your double login protection is wasted. If you're
already familiar with a particular shell, you can pick something other than csh. Default
is sh, but root's default is csh.

Edit /etc/ssh/sshd_config and change

#PermitRootLogin yes

to

PermitRootLogin no

Now that you can no longer log in as root remotely, when you log in as administrator over
ssh, you'll have to use the su command to become a super user. It will ask
you for a password. When it does, type in the root password and you will be root. This is
only possible because when you created the administrator user, you added them to the wheel
group, which is where super users go. Only users in the wheel group can become a super user
from su. When you're done being a super user, type exit to become
a regular user again. su will make a log of when and where someone
becomes a super user.

Configuring the firewall

Remember, this section was written for OpenBSD 3.3. These rules might work on other
OpenBSD installations >=3.0, however that doesn't mean that they're right.

Enable IP forwarding

Edit /etc/sysctl.conf. Uncomment net.inet.ip.forwarding=1.
While you're in there, you could uncomment vm.swapencrypt.enable=1.

Create invisible interfaces

For this example, xl0 is our administration interface, which will have an IP assigned
and firewall rules to allow only SSH and HTTPS connections. The invisible interfaces are
xl1, xl2, and xl3.

There are some fine details of creating a bridge between network interfaces for a firewall.

Rule 1: Always filter on one interface.

Rule 2: Don't filter on the other interfaces.

Remember, the computer doesn't know which interface leads to the internet and which goes to
a crossover cable for a server. When you bridge interfaces, you are essentially creating one
virtual interface.

What the rules have done is block all traffic that's not associated with the computer behind the firewall
that has the MAC address 00:BB:A0:33:3A:D1. If it isn't headed to or from the machine with
00:BB:A0:33:3A:D1, it won't get passed. If you decide to use bridge rules with MAC addresses, you'll have
to maintain a current ruleset of MACs; otherwise, don't use bridge rules at all.

Note: Experience has shown this author that MAC filtering in this style is not 100% good 100% of the time. If you decide you want MAC address filtering, make sure you test a lot. Merely adding the interfaces should be enough for most firewalling situations.

Note that the packet filter reads traffic on the IP level. In other words, it won't filter traffic based
on MACs, just source and destination IPs by port number and traffic type. The bridge is the only place
to filter by MAC and the packet filter is the only place to filter by IP.

Configure static network interface

If you already configured the administration static IP you want during the OS install, you can
skip this section.

To switch from DHCP to static or to fix a mess-up if you echoed "up" into the wrong hostname file,
you need to edit the hostname.if file for the interface you're using.
In the example, the contents of

/etc/hostname.xl0

should be

dhcp NONE NONE NONE

for a DHCP environment. To change it to static, change it to match

echo "inet 192.168.0.200 255.255.255.0 NONE" > /etc/hostname.xl0

Note that the hostname.if file doesn't contain the gateway IP. That is stored in a different file.

echo "192.168.0.1" > /etc/mygate

To activate the gateway address, you'll have to restart. There are ways to activate it otherwise,
but saying to restart is much simpler. You can do the research if you don't want to reboot.

Setting up the packet filter (PF)

First turn PF on. Edit /etc/rc.conf and set

pf=YES

(the rc.conf variable name is lowercase) and then turn PF on without having to reboot.

# pfctl -e

You will not get enough information about packet filtering from this tutorial to be well versed.
Minimally, you need to read these two documents and understand them or you're wasting your time
with this firewall.

to get the manual for the packet filter right from your machine. To exit the man pages viewer, hit the "q"
key or scroll all the way down to the end of the document. Page Down will get you there faster.

Here is a ruleset you might use to start an invisible passthru firewall. It uses the
slower bracketed blocks of IPs that expand into separate rules to check against incoming
and outgoing traffic.

file. If you want to let NTP through the firewall,
it is port 123/udp.
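The tutorial's own ruleset did not survive on this page, so here is an added example of my own, not the author's: a shell script that writes an OpenBSD 3.2-style pf.conf (macros and bracketed lists, no tables, which only arrived in 3.3) for a bridged passthru firewall, and then checks the file against Rule 1 and Rule 2 from the "Create invisible interfaces" section above, i.e. that filtering decisions are made on exactly one bridged interface and the other bridged leg passes everything untouched. The interface names (xl0 admin, xl1 bridge leg facing the protected host, xl2 bridge leg facing the outside), the protected host 10.0.0.5, the admin network 192.168.0.0/24 and the open ports are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the tutorial's ruleset): generate a pf.conf for a bridged
# firewall and verify the two bridge rules from the text. All addresses,
# interface names and ports below are assumptions for illustration.

# write_pf_conf FILE ADMIN_IF FILTER_IF OTHER_IF SERVER
# FILTER_IF is the bridge leg facing the protected host, OTHER_IF the leg
# facing the outside world; ADMIN_IF is the NIC that has an IP address.
write_pf_conf() {
    cat > "$1" <<EOF
admin_if="$2"
filter_if="$3"
other_if="$4"
server="$5"
admin_net="192.168.0.0/24"
services="{ 22, 80, 443 }"

scrub in all

# Rule 2: the other bridged leg passes everything untouched
pass in quick on \$other_if all
pass out quick on \$other_if all

# Administration NIC: SSH and HTTPS from the admin network only
block in on \$admin_if all
pass in on \$admin_if proto tcp from \$admin_net to \$admin_if port { 22, 443 } flags S/SA keep state
pass out on \$admin_if all keep state

# Rule 1: every decision about bridged traffic is made on the filtering leg
block in log on \$filter_if all
block out log on \$filter_if all
pass out on \$filter_if proto tcp from any to \$server port \$services flags S/SA keep state
pass in on \$filter_if proto udp from \$server to any port { 53, 123 } keep state
EOF
}

# filtering_ifs FILE: print, one per line, every interface that carries a
# filtering decision (any block rule, or a pass rule that is not an
# unconditional "pass ... quick on IF all"), with pf.conf macros resolved.
filtering_ifs() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {      # macro definition
            eq = index($0, "=")
            val = substr($0, eq + 1); gsub(/"/, "", val)
            macro[substr($0, 1, eq - 1)] = val
            next
        }
        /^(pass|block)/ {
            ifname = ""
            for (i = 1; i < NF; i++) if ($i == "on") ifname = $(i + 1)
            if (ifname == "") next
            if (substr(ifname, 1, 1) == "$") ifname = macro[substr(ifname, 2)]
            unconditional = ($1 == "pass" && $0 ~ / quick / && $NF == "all")
            if (!unconditional) seen[ifname] = 1
        }
        END { for (n in seen) print n }
    ' "$1" | sort
}

# bridge_rules_ok FILE FILTER_IF OTHER_IF...: succeed only when FILTER_IF
# carries filtering rules and none of the remaining bridged interfaces does.
bridge_rules_ok() {
    file=$1; want=$2; shift 2
    ifs=$(filtering_ifs "$file")
    echo "$ifs" | grep -qx "$want" || return 1
    for other in "$@"; do
        echo "$ifs" | grep -qx "$other" && return 1
    done
    return 0
}

# Stand-alone run: write the sample to a temporary file and report which
# interfaces filter. On the firewall you would write /etc/pf.conf instead
# and load it with:  pfctl -f /etc/pf.conf
demo=$(mktemp)
write_pf_conf "$demo" xl0 xl1 xl2 10.0.0.5
filtering_ifs "$demo"
rm -f "$demo"
```

The admin interface shows up in the check output alongside the filtering leg; that is expected, since xl0 is not part of the bridge and Rule 2 only concerns the bridged interfaces. The udp line covers the protected host's own DNS lookups and NTP, which the text above notes is 123/udp; the reply packets ride back on the state entry rather than needing a second rule.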

Symon

Symon is a system monitor that lets you view the status of the CPU, memory, PF, NICs,
and misc services running on the system. It uses PHP and a combination of a
server (symux) and monitor that reports to the server (symon). It stores the data
in a special type of database for continuous data collection called rrdtool.

# cd /usr/ports/sysutils/symon

Versions of Symon 2.60 and before have an installation bug that doesn't install all the
PHP scripts that are needed for viewing services from Apache, so this will bypass some
of the post-installation instructions to do some manual configuration. Symon 2.61 should
have a fix to the installation bug.

Edit /usr/ports/sysutils/symon/Makefile. Since you have already custom
installed PHP, you don't want the Symon install to do the generic one again. Change